The Unethical CIO
This penetration test was a complete disaster for the client.
Our team had gained unauthorised access to hospital software and we demonstrated to the client that this software could edit the medicine that nurses would administer to patients.
We could tamper with hospital files and medical records, and even delete thousands of records, which would have forced the hospital to re-process hundreds of patients.
The CIO was livid. Furious. Embarrassed.
None of his security investments had worked.
He challenged every finding and every line in our report:
- “This can’t be exploited because the person needs to first get access to a network port in the building”
- “This vulnerability can’t be exploited because first you need to be local administrator”
- “My team is telling me that this vulnerability has been fixed, there must have been something wrong with your tools”
- “Even if somebody becomes domain admin, they are never going to go and edit patient records”
- “Your team showed that it could hack us but that doesn’t mean that somebody will hack us”
- “We’ve never seen any hackers on our network so this will probably never happen”
- “Who would want to hack a hospital?”
This is called “Dark Risk Management”.
In the end, he buried our report and we lost a client. Or, better put, he lost.
I can't imagine how he would have a clear conscience in view of how he handled the situation.
If you’re in charge of cyber security and you haven’t made decisions that you’re proud of then here’s how to make up for it:
- Resign immediately
- Donate to charity all the money that you made from compromising on your ethics and morals
- Dedicate the rest of your life to alleviating the suffering of all humankind
Benjamin Mossé
Original: https://www.mosse-security.com/2020/02/17/the-unethical-cio.html
Professor of Practice at ASU and former Carnegie Mellon Professor, Principal Fellow, and SEI Senior MTS (4 years ago)
Sad story, but typical. Most of our universities and colleges do a poor job educating leaders about computing, process, security, how to effectively manage risks, or how to deal with significant change. It's time to reflect on Hamming's Turing Award lecture, where he said: "Indeed, one of my major complaints about the computer field is that whereas Newton could say, "If I have seen a little farther than others, it is because I have stood on the shoulders of giants," I am forced to say, "Today we stand on each other's feet." Perhaps the central problem we face in all of computer science is how we are to get to the situation where we build on top of the work of others rather than redoing so much of it in a trivially different way. Science is supposed to be cumulative, not almost endless duplication of the same kind of things."
We do not teach programmers how to write code that can survive hackers, let alone practice it until they are good at it. When some do teach "security", it is mostly forensics and the course is usually a graduate course... it certainly is not part of the undergraduate core! With kids learning to program at an ever younger age (Have you seen Apple's Swift Playgrounds?), how many years before they will learn about engineering discipline, DevOps, or cybersecurity in order to know how to do things right? All of those years will cement bad habits into their behaviors and it will take a great deal of time, effort, and someone's money for them to unlearn those bad habits before they can really start leveraging the good work in cybersecurity that *has* been done. Indeed, far too many are standing on the feet of others who've experienced significant pain and loss. Elise McGill, Brenna S., Eduardo Diaz, PhD
Cyber Security Architect (4 years ago)
Australian public service through and through. Extremely sad and really hurts when you see our tax dollars being so blatantly wasted and medical information at risk.
EdTech Workforce Learning Engineer, Business-Human-AI Expert, & Sr Cyber Operations/Project Manager (4 years ago)
Good summary Benjamin, and unfortunately a far too common scenario. Maybe time to not lose the customer but properly educate them with the balance of theoretical risk, practical business threat mitigation, and a NEW psychological modification of thinking. The mindset to question or state "but it won't happen here" is a natural response. Thinking the worst does not help practical implementation. Thinking things are all rosy and in place is not a realistic decision given evidence to the contrary. What is the solution? Understanding that the cybersecurity effectiveness of an organization is RARELY the technology available to protect, detect, and respond. The problem is, and ever will be until there is a mindshift, the thought culture of risk decision making and the people effectiveness of the human element, which are the key to vulnerability to social engineering, selection of technology and implementation of the processes effectively. Thinking like a black hat (red team, pentest etc.) is needed, but only one part of the solution. Not everyone understands or believes a black hat is a real or viable threat. Impact analysis of the business is not blended from realistic human scenarios. People making decisions are not thinking black hat.
Chief Information Security Officer @ SafeID | CISSP (4 years ago)
Happens all the time. I've had 5 architects argue that the identified risk is wrong; in time I was proven right, resulting in lots of job losses as the risk scenario became a reality. At the end of the day, if you don't have top-down buy-in then walk away. Techos are proud and egomaniacs, so you need to get support at the top, otherwise your report is flicked aside as just another opinion rather than an independent review of risk based on world-class security standards.
Co-Founder at AttackForge - Penetration Testing Management Platform (4 years ago)
Unfortunately not uncommon. We, as professionals, have only one integrity to lose, so we have to stand our ground. One way of doing it is to make sure that the findings are presented as a persuasive narrative that is hard to ignore. It might not always work, especially with individuals such as the one mentioned in Benjamin's story, but it definitely helps.